Doc 9303 Machine Readable Travel Documents Eighth Edition, 2021

Part 12: Public Key Infrastructure for MRTDs

Approved by and published under the authority of the Secretary General
INTERNATIONAL CIVIL AVIATION ORGANIZATION

Published in separate English, Arabic, Chinese, French, Russian and Spanish editions by the INTERNATIONAL CIVIL AVIATION ORGANIZATION, 999 Robert-Bourassa Boulevard, Montréal, Quebec, Canada H3C 5H7. Downloads and additional information are available at www.icao.int/security/mrtd

Doc 9303, Machine Readable Travel Documents, Part 12 — Public Key Infrastructure for MRTDs
Order No.: 9303P12
ISBN 978-92-9265-422-1 (print version)

© ICAO 2021. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, without prior permission in writing from the International Civil Aviation Organization.

AMENDMENTS

Amendments are announced in the supplements to the Products and Services Catalogue; the Catalogue and its supplements are available on the ICAO website at www.icao.int. A record of amendments and corrigenda is kept in the publication (none recorded in this edition).

The designations employed and the presentation of the material in this publication do not imply the expression of any opinion whatsoever on the part of ICAO concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimitation of its frontiers or boundaries.

TABLE OF CONTENTS

1. SCOPE ..... 1
2. OVERVIEW OF THE PUBLIC KEY INFRASTRUCTURE ..... 1
3. ROLES AND RESPONSIBILITIES ..... 3
   3.1 eMRTD PKI ..... 3
   3.2 Authorization PKI ..... 6
4. KEY MANAGEMENT ..... 9
   4.1 eMRTD PKI ..... 9
   4.2 Authorization PKI ..... 16
5. DISTRIBUTION MECHANISMS ..... 18
   5.1 PKD Distribution Mechanism ..... 20
   5.2 Bilateral Exchange Distribution Mechanism ..... 21
   5.3 Master List Distribution Mechanism ..... 21
6. PKI TRUST AND VALIDATION ..... 22
   6.1 eMRTD PKI ..... 22
   6.2 Authorization PKI ..... 25
7. CERTIFICATE AND CRL PROFILES ..... 25
   7.1 eMRTD PKI ..... 25
   7.2 Authorization PKI ..... 38
8. SPOC PROTOCOL ..... 46
   8.1 SPOC Related Structures ..... 47
   8.2 SPOC Protocol Messages ..... 48
   8.3 Web Service ..... 53
9. CSCA MASTER LIST STRUCTURE ..... 59
   9.1 SignedData Type ..... 59
   9.2 ASN.1 Master List Specification ..... 60
10. Deviation List Structure ..... 61
   10.1 SignedData Type ..... 61
   10.2 ASN.1 Specification ..... 63
11. REFERENCES (NORMATIVE) ..... 65
APPENDIX A TO PART 12. LIFETIMES (INFORMATIVE) ..... App A-1
   A.1 Example 1 ..... App A-1
   A.2 Example 2 ..... App A-1
   A.3 Example 3 ..... App A-2
APPENDIX B TO PART 12. CERTIFICATE AND CRL PROFILE REFERENCE TEXT (INFORMATIVE) ..... App B-1
APPENDIX C TO PART 12. EARLIER CERTIFICATE PROFILES (INFORMATIVE) ..... App C-1
APPENDIX D TO PART 12. RFC 5280 VALIDATION COMPATIBILITY (INFORMATIVE) ..... App D-1
   D.1 Steps Relevant to eMRTD ..... App D-1
   D.2 Steps Not Required by eMRTD ..... App D-5
   D.3 Modifications required to process CRLs ..... App D-6
APPENDIX E TO PART 12. LDS2 EXAMPLE (INFORMATIVE) ..... App E-1

1. SCOPE

Part 12 of Doc 9303 defines the Public Key Infrastructure (PKI) for the eMRTD application. Requirements for issuing States or organizations are specified, including operation of a Certification Authority (CA) that issues certificates and Certificate Revocation Lists (CRLs). Requirements for receiving States and their Inspection Systems validating those certificates and CRLs are also specified.

The Eighth Edition of Doc 9303 incorporates the specifications for Visible Digital Seals (known as VDS) and for the optional Travel Records, Visa Records and Additional Biometric Applications (known as LDS2) as an extension of the mandatory eMRTD application (known as LDS1).

Doc 9303-12 shall be read in conjunction with:

• Doc 9303-10 — Logical Data Structure (LDS) for Storage of Biometrics and Other Data in the Contactless Integrated Circuit (IC);
• Doc 9303-11 — Security Mechanisms for MRTDs; and
• Doc 9303-13 — Visible Digital Seals.

2. OVERVIEW OF THE PUBLIC KEY INFRASTRUCTURE

The eMRTD Public Key Infrastructure (PKI) enables the creation and subsequent verification of digital signatures on eMRTD objects, including the Document Security Object (SOD), to ensure the signed data is authentic and has not been modified.

Revocation of a certificate, failure of the certification path validation procedure or failure of digital signature verification does not on its own cause an eMRTD to be considered invalid. Such a failure means that the electronic verification of the integrity and authenticity of the LDS data has failed; other non-electronic mechanisms could then be used to make that determination as part of the overall inspection of the eMRTD.

The eMRTD PKI is much simpler than more generic multi-application PKIs such as the Internet PKI defined in [RFC 5280]. In the eMRTD PKI, each issuing State/Authority establishes a single Certification Authority (CA) that issues all certificates directly to end-entities, including Document Signers. These CAs are referred to as Country Signing Certification Authorities (CSCAs). There are no other CAs in the infrastructure. Receiving States establish trust directly in the keys/certificates of each issuing State or organization's CSCA.

The eMRTD PKI is based on generic PKI standards including
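The single-CSCA trust model this overview describes, as an added example that is not part of Doc 9303 or any ICAO code: a constructed CSCA for one State issues a Document Signer certificate directly, the DS signs constructed SOD bytes, and a receiving State accepts the signature only when the DS chains directly to a CSCA it trusts, with no intermediate CAs. Country codes, names, validity periods, ECDSA P-256 with SHA-256, and a raw signature standing in for the real signed SOD structure are all assumptions of the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil { panic(err) } // constructed example: a certificate creation error here is a bug
	c, _ := x509.ParseCertificate(der)
	return c
}
// newStatePKI builds one issuing State's two-level PKI: a single self-signed CSCA
// issuing a Document Signer (DS) certificate directly, with no intermediate CAs.
func newStatePKI(country string) (csca, ds *x509.Certificate, dsKey *ecdsa.PrivateKey) {
	now := time.Now()
	cscaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dsKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cscaTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(5, 0, 0),
		Subject: pkix.Name{Country: []string{country}, CommonName: "CSCA " + country}, IsCA: true, BasicConstraintsValid: true,
		MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // path length 0: signs only end-entities
	csca = mustCert(x509.CreateCertificate(rand.Reader, cscaTmpl, cscaTmpl, &cscaKey.PublicKey, cscaKey))
	dsTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.AddDate(0, 3, 0),
		Subject: pkix.Name{Country: []string{country}, CommonName: "DS " + country}, KeyUsage: x509.KeyUsageDigitalSignature}
	ds = mustCert(x509.CreateCertificate(rand.Reader, dsTmpl, csca, &dsKey.PublicKey, cscaKey))
	return csca, ds, dsKey
}
// signSOD stands in for the DS signing the Document Security Object (SOD).
func signSOD(dsKey *ecdsa.PrivateKey, sod []byte) ([]byte, error) {
	h := sha256.Sum256(sod)
	return ecdsa.SignASN1(rand.Reader, dsKey, h[:])
}
// verifySOD is the receiving State's check: the DS certificate must chain directly to a trusted CSCA
// (root pool only, no intermediates) and the DS key must verify the signature over the SOD bytes.
// A false result means electronic verification failed; on its own that does not make the eMRTD invalid.
func verifySOD(trustedCSCA, ds *x509.Certificate, sod, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCSCA)
	if _, err := ds.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false
	}
	pub, ok := ds.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(sod)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A DS issued under another State's CSCA fails in ds.Verify before any signature is checked, which is the direct-trust property the text describes.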
